Pundit Gem - Minimal authorization through OO design and pure Ruby classes.
It is a really simple Ruby gem that does nothing more than you could have done yourself: policies are plain Ruby classes. That is exactly its strength.
Pundit adds a few helpers (authorize, policy_scope) to your controllers. First add the gem to your Gemfile:
gem "pundit"
Include Pundit in your application controller:
class ApplicationController < ActionController::Base
  include Pundit
  protect_from_forgery
end
Application Controller
class ApplicationController < ActionController::Base
  # Includes Authorization mechanism
  include Pundit

  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  # Globally rescue Authorization Errors in controller.
  # Returning 403 Forbidden if permission is denied
  rescue_from Pundit::NotAuthorizedError, with: :permission_denied

  private

  def permission_denied
    head 403
  end
end
Optionally, you can run the generator, which will set up an application policy with some useful defaults for you:
rails g pundit:install
Policies are placed in
app/policies/
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def user_activities
    @user.roles.select(:activities).distinct.map(&:activities).flatten
  end

  def scope
    Pundit.policy_scope!(user, record.class)
  end
end
class PostPolicy < ApplicationPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user = user
    @post = post
  end

  def update?
    user.admin? or not post.published?
  end
end
Supposing that you have an instance of class Post, Pundit now lets you do this in your controller:
def update
  @post = Post.find(params[:id])
  authorize @post
  if @post.update(post_params)
    redirect_to @post
  else
    render :edit
  end
end
class PostPolicy < ApplicationPolicy
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      if user.admin?
        scope.all
      else
        scope.where(:published => true)
      end
    end
  end

  def update?
    user.admin? or not post.published?
  end
end
You can now use this class from your controller via the policy_scope method:
def index
  @posts = policy_scope(Post)
end
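To show that the two helpers really are "nothing more than you could have done yourself", here is an added example (not code from these slides or from the Pundit gem) that re-implements `authorize` and `policy_scope` in plain Ruby, without Rails, and exercises the PostPolicy and PostPolicy::Scope from the slides against constructed users and posts. The `Authorizer` module, `FakeRelation`, `NotAuthorizedError`, the `destroy?` rule and the sample data are assumptions made for this example, not part of the gem.

```ruby
# Added example: a pure-Ruby stand-in for Pundit's authorize / policy_scope
# helpers. Authorizer, FakeRelation and the sample data are constructed here
# for illustration; they are not Pundit's own code.

# Mirrors Pundit::NotAuthorizedError: raised when a policy query returns false.
class NotAuthorizedError < StandardError; end

# Minimal stand-in for an ActiveRecord relation: a filterable array.
class FakeRelation
  include Enumerable
  def initialize(rows); @rows = rows; end
  def each(&block); @rows.each(&block); end
  def all; self; end
  # where(published: true) keeps rows whose attributes match every condition.
  def where(conditions)
    FakeRelation.new(@rows.select { |r| conditions.all? { |k, v| r.public_send(k) == v } })
  end
end

User = Struct.new(:id, :admin) do
  def admin?; admin; end
end

Post = Struct.new(:id, :author_id, :published) do
  def published?; published; end
  def self.all; FakeRelation.new(POSTS); end   # stands in for Post.all
end

# Constructed sample data: two posts by user 10, one by user 20.
POSTS = [Post.new(1, 10, true), Post.new(2, 10, false), Post.new(3, 20, false)].freeze

module Authorizer
  # Pundit's naming convention: the policy for a record is "#{record.class}Policy".
  def self.policy_for(user, record)
    Object.const_get("#{record.class}Policy").new(user, record)
  end

  # authorize: raise unless the policy predicate (e.g. :update?) returns true.
  def self.authorize(user, record, query)
    policy = policy_for(user, record)
    raise NotAuthorizedError, "#{query} on #{record.class} denied" unless policy.public_send(query)
    record
  end

  # policy_scope: let "#{Model}Policy::Scope#resolve" narrow the relation.
  def self.policy_scope(user, klass)
    Object.const_get("#{klass}Policy::Scope").new(user, klass.all).resolve
  end
end

class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user = user
    @record = record
  end
end

class PostPolicy < ApplicationPolicy
  # Same rule as the slides: admins always, anyone else only while unpublished.
  def update?
    user.admin? || !record.published?
  end

  # Assumed extra rule: the slides' update? lets any signed-in user edit any
  # unpublished post, so deletion additionally requires authorship here.
  def destroy?
    user.admin? || record.author_id == user.id
  end

  class Scope
    attr_reader :user, :scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      user.admin? ? scope.all : scope.where(published: true)
    end
  end
end

ADMIN  = User.new(1, true)
AUTHOR = User.new(10, false)
OTHER  = User.new(20, false)

# true when the user may run query on the post, false when the policy denies it.
def allowed?(user, post, query)
  Authorizer.authorize(user, post, query)
  true
rescue NotAuthorizedError
  false
end

# Ids of the posts the user can see through the policy scope.
def visible_post_ids(user)
  Authorizer.policy_scope(user, Post).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "admin sees:  #{visible_post_ids(ADMIN).inspect}"
  puts "author sees: #{visible_post_ids(AUTHOR).inspect}"
  puts "other may update unpublished post 2:  #{allowed?(OTHER, POSTS[1], :update?)}"
  puts "other may destroy unpublished post 2: #{allowed?(OTHER, POSTS[1], :destroy?)}"
end
```

Run it with `ruby` and watch the last two lines: under the slides' `update?` rule the non-author OTHER is allowed to update post 2 because it is unpublished, while the ownership-aware `destroy?` denies it. That is the check worth making before copying the example policy into a real application: a predicate that never looks at `user.id` or the record's owner authorizes every signed-in user the same way.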
There is a lot more out there.
Make sure you check
[ https://github.com/elabs/pundit ]